// https://syzkaller.appspot.com/bug?id=6225e7b911f6977538f7bd519ba9811d9fc2cb94
// autogenerated by syzkaller (http://github.com/google/syzkaller)
//
// Kernel-crash reproducer emitted by syzkaller.  A small worker pool
// (threads / thr / execute) replays a fixed sequence of 11 syscalls
// (execute_call), first one-by-one and then with odd/even pairs racing
// ("collide" mode), forever.  All fixed 0x20xxxxxx addresses below point
// into the anonymous region that call 0 maps at 0x20000000.

#define _GNU_SOURCE
// NOTE(review): the header names of the following #include directives were
// lost when this listing was extracted; the directives are kept exactly as
// they appear on the page.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

// Opens a device node.  Two forms, selected by a0:
//  - a0 == 0xc or a0 == 0xb: a0 is a class selector and the path is built as
//    "/dev/char/<a1>:<a2>" or "/dev/block/<a1>:<a2>" (major:minor, each
//    truncated to 8 bits), opened O_RDWR.  The longest possible string
//    ("/dev/block/255:255") fits the 128-byte buffer, so sprintf is bounded.
//  - otherwise: a0 is a pointer to a path template.  It is copied into a
//    1024-byte buffer and explicitly NUL-terminated (strncpy alone does not
//    guarantee that); every '#' is then replaced, in order, by the next
//    decimal digit of a1 (least significant digit first) and the result is
//    opened with flags a2.
// Returns open()'s result converted to uintptr_t, so a failed open (-1) comes
// back as UINTPTR_MAX; errno is not examined.
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  if (a0 == 0xc || a0 == 0xb) {
    char buf[128];
    sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, (uint8_t)a2);
    return open(buf, O_RDWR, 0);
  } else {
    char buf[1024];
    char* hash;
    strncpy(buf, (char*)a0, sizeof(buf));
    buf[sizeof(buf) - 1] = 0;  // strncpy may leave the buffer unterminated
    while ((hash = strchr(buf, '#'))) {
      *hash = '0' + (char)(a1 % 10);
      a1 /= 10;
    }
    return open(buf, a2, 0);
  }
}

static void test();

// Runs test() forever; main() is itself an endless loop around this.
void loop()
{
  while (1) {
    test();
  }
}

// One pool worker.  `created` is set once the pthread has been started;
// `running` is the handshake word between execute() and thr() (1 while a
// call is in flight, also used as the futex address); `call` is the index
// handed to execute_call().
struct thread_t {
  int created, running, call;
  pthread_t th;
};

static struct thread_t threads[16];  // worker pool, started lazily by execute()
static void execute_call(int call);
static int running;  // calls currently in flight (updated with relaxed atomics)
static int collide;  // when set, execute() does not wait after odd-numbered calls

// Worker body: block on the futex until execute() raises `running`, perform
// the assigned call, drop the global in-flight count, clear the flag and wake
// the execute() that may be waiting on it.  Never returns.
static void* thr(void* arg)
{
  struct thread_t* th = (struct thread_t*)arg;
  for (;;) {
    while (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE))
      syscall(SYS_futex, &th->running, FUTEX_WAIT, 0, 0);
    execute_call(th->call);
    __atomic_fetch_sub(&running, 1, __ATOMIC_RELAXED);
    __atomic_store_n(&th->running, 0, __ATOMIC_RELEASE);
    syscall(SYS_futex, &th->running, FUTEX_WAKE);
  }
  return 0;
}

// Dispatches calls 0..num_calls-1, one per idle worker.  For each call the
// first worker whose `running` flag is clear is chosen (a thread is created
// on first use with a 128 KiB stack; pthread_create's result is not checked),
// given the call index and woken.  In collide mode an odd-numbered call is
// launched without waiting, so it overlaps the even call just before it;
// otherwise execute() waits up to 20 ms for the worker to finish and, if any
// call is still in flight, sleeps 1 ms (10 ms after the last call) before
// moving on.
// Note: `thread` is an int compared against a size_t bound; harmless for a
// 16-entry array, but -Wsign-compare will warn.
static void execute(int num_calls)
{
  int call, thread;
  running = 0;
  for (call = 0; call < num_calls; call++) {
    for (thread = 0; thread < sizeof(threads) / sizeof(threads[0]); thread++) {
      struct thread_t* th = &threads[thread];
      if (!th->created) {
        th->created = 1;
        pthread_attr_t attr;
        pthread_attr_init(&attr);
        pthread_attr_setstacksize(&attr, 128 << 10);
        pthread_create(&th->th, &attr, thr, th);
      }
      if (!__atomic_load_n(&th->running, __ATOMIC_ACQUIRE)) {
        th->call = call;
        __atomic_fetch_add(&running, 1, __ATOMIC_RELAXED);
        __atomic_store_n(&th->running, 1, __ATOMIC_RELEASE);
        syscall(SYS_futex, &th->running, FUTEX_WAKE);
        if (collide && call % 2)
          break;  // let this call race with the previous one
        struct timespec ts;
        ts.tv_sec = 0;
        ts.tv_nsec = 20 * 1000 * 1000;  // 20 ms completion timeout
        syscall(SYS_futex, &th->running, FUTEX_WAIT, 1, &ts);
        if (running)
          usleep((call == num_calls - 1) ? 10000 : 1000);
        break;
      }
    }
  }
}

// Fallback syscall numbers for toolchains whose headers lack them.  The values
// (openat 295, signalfd4 327, ioctl 54, mmap 192) are from the 32-bit x86
// table, and mmap is then unconditionally redirected to mmap2 (the
// page-offset variant), so this reproducer targets 32-bit x86.  On a target
// without __NR_mmap2 (x86_64, for example) the file does not build.
#ifndef __NR_openat
#define __NR_openat 295
#endif
#ifndef __NR_signalfd4
#define __NR_signalfd4 327
#endif
#ifndef __NR_ioctl
#define __NR_ioctl 54
#endif
#ifndef __NR_mmap
#define __NR_mmap 192
#endif
#undef __NR_mmap
#define __NR_mmap __NR_mmap2

// Results of the fd-producing calls: r[0] = openat("/selinux/relabel"),
// r[1] = signalfd4(...), r[2] = openat("/selinux/avc/hash_stats"),
// r[3] = open("/dev/usbmon0").  test() resets all four to -1 before each
// round, so when an earlier call fails the later calls operate on fd -1.
long r[4];

// The generated program: one syscall (plus its argument set-up) per case.
// Numeric arguments are left as syzkaller emitted them; the decodings in the
// comments follow the x86 Linux ABI constants.
void execute_call(int call)
{
  switch (call) {
  case 0:
    // mmap(0x20000000, 0xfff000, PROT_READ|PROT_WRITE (3),
    //      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0):
    // the scratch region that every later fixed address lives in.
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
    break;
  case 1:
    // 17 bytes = the path plus its NUL; the copy ends exactly at 0x203c1000,
    // inside the mapped region.  openat(AT_FDCWD (0xffffff9c is -100 in 32
    // bits), "/selinux/relabel", O_RDWR (2)).
    memcpy((void*)0x203c0fef, "/selinux/relabel", 17);
    r[0] = syscall(__NR_openat, 0xffffff9c, 0x203c0fef, 2, 0);
    break;
  case 2:
    // signalfd4(r[0], mask, 8, 0) with an all-zero 8-byte mask.  Note the fd
    // argument is the selinuxfs fd from call 1, not -1.
    *(uint64_t*)0x20f4e000 = 0;
    r[1] = syscall(__NR_signalfd4, r[0], 0x20f4e000, 8, 0);
    break;
  case 3:
    // openat(AT_FDCWD, "/selinux/avc/hash_stats", O_RDONLY (0)); 24 bytes
    // copied = path plus NUL.
    memcpy((void*)0x20ab9000, "/selinux/avc/hash_stats", 24);
    r[2] = syscall(__NR_openat, 0xffffff9c, 0x20ab9000, 0, 0);
    break;
  case 4:
    // ioctl on the relabel fd.  Read as a Linux _IOC encoding the request is
    // dir=_IOC_READ, size 0x178, type 'U' (0x55), nr 1 -- presumably not
    // meaningful for a selinuxfs file; verify against the kernel headers.
    syscall(__NR_ioctl, r[0], 0x81785501, 0x20e5b000);
    break;
  case 5:
    // ioctl(r[1], 0x5460, ...): 0x5460 is FIOQSIZE in the generic ioctl
    // table; the argument points 8 bytes below the end of the first page of
    // the scratch region.
    syscall(__NR_ioctl, r[1], 0x5460, 0x20000ff8);
    break;
  case 6:
    // Same mapping as call 0 again: MAP_FIXED|MAP_ANONYMOUS replaces the
    // region with fresh zero pages, discarding whatever was written so far.
    syscall(__NR_mmap, 0x20000000, 0xfff000, 3, 0x32, -1, 0);
    break;
  case 7:
    // "/dev/usbmon#" (13 bytes incl. NUL) with a1 == 0, so '#' becomes '0'
    // and "/dev/usbmon0" is opened with flags a2 == 0 (O_RDONLY).
    memcpy((void*)0x208be000, "/dev/usbmon#", 13);
    r[3] = syz_open_dev(0x208be000, 0, 0);
    break;
  case 8:
    // Builds a 268-byte (0x10c) argument at 0x203a5000: five 32-bit words
    // (0x7fff, 2, 0x1ff, 0, 0), 176 zero bytes, two more 32-bit words
    // (0x80000001, 0x52), then 64 zero bytes.  The request 0xc10c5541
    // carries size 0x10c (matching the struct), type 'U' (0x55), nr 0x41,
    // read/write direction; the fd is the selinux hash_stats file from
    // call 3.
    *(uint32_t*)0x203a5000 = 0x7fff;
    *(uint32_t*)0x203a5004 = 2;
    *(uint32_t*)0x203a5008 = 0x1ff;
    *(uint32_t*)0x203a500c = 0;
    *(uint32_t*)0x203a5010 = 0;
    *(uint8_t*)0x203a5014 = 0;
    *(uint8_t*)0x203a5015 = 0;
    *(uint8_t*)0x203a5016 = 0;
    *(uint8_t*)0x203a5017 = 0;
    *(uint8_t*)0x203a5018 = 0;
    *(uint8_t*)0x203a5019 = 0;
    *(uint8_t*)0x203a501a = 0;
    *(uint8_t*)0x203a501b = 0;
    *(uint8_t*)0x203a501c = 0;
    *(uint8_t*)0x203a501d = 0;
    *(uint8_t*)0x203a501e = 0;
    *(uint8_t*)0x203a501f = 0;
    *(uint8_t*)0x203a5020 = 0;
    *(uint8_t*)0x203a5021 = 0;
    *(uint8_t*)0x203a5022 = 0;
    *(uint8_t*)0x203a5023 = 0;
    *(uint8_t*)0x203a5024 = 0;
    *(uint8_t*)0x203a5025 = 0;
    *(uint8_t*)0x203a5026 = 0;
    *(uint8_t*)0x203a5027 = 0;
    *(uint8_t*)0x203a5028 = 0;
    *(uint8_t*)0x203a5029 = 0;
    *(uint8_t*)0x203a502a = 0;
    *(uint8_t*)0x203a502b = 0;
    *(uint8_t*)0x203a502c = 0;
    *(uint8_t*)0x203a502d = 0;
    *(uint8_t*)0x203a502e = 0;
    *(uint8_t*)0x203a502f = 0;
    *(uint8_t*)0x203a5030 = 0;
    *(uint8_t*)0x203a5031 = 0;
    *(uint8_t*)0x203a5032 = 0;
    *(uint8_t*)0x203a5033 = 0;
    *(uint8_t*)0x203a5034 = 0;
    *(uint8_t*)0x203a5035 = 0;
    *(uint8_t*)0x203a5036 = 0;
    *(uint8_t*)0x203a5037 = 0;
    *(uint8_t*)0x203a5038 = 0;
    *(uint8_t*)0x203a5039 = 0;
    *(uint8_t*)0x203a503a = 0;
    *(uint8_t*)0x203a503b = 0;
    *(uint8_t*)0x203a503c = 0;
    *(uint8_t*)0x203a503d = 0;
    *(uint8_t*)0x203a503e = 0;
    *(uint8_t*)0x203a503f = 0;
    *(uint8_t*)0x203a5040 = 0;
    *(uint8_t*)0x203a5041 = 0;
    *(uint8_t*)0x203a5042 = 0;
    *(uint8_t*)0x203a5043 = 0;
    *(uint8_t*)0x203a5044 = 0;
    *(uint8_t*)0x203a5045 = 0;
    *(uint8_t*)0x203a5046 = 0;
    *(uint8_t*)0x203a5047 = 0;
    *(uint8_t*)0x203a5048 = 0;
    *(uint8_t*)0x203a5049 = 0;
    *(uint8_t*)0x203a504a = 0;
    *(uint8_t*)0x203a504b = 0;
    *(uint8_t*)0x203a504c = 0;
    *(uint8_t*)0x203a504d = 0;
    *(uint8_t*)0x203a504e = 0;
    *(uint8_t*)0x203a504f = 0;
    *(uint8_t*)0x203a5050 = 0;
    *(uint8_t*)0x203a5051 = 0;
    *(uint8_t*)0x203a5052 = 0;
    *(uint8_t*)0x203a5053 = 0;
    *(uint8_t*)0x203a5054 = 0;
    *(uint8_t*)0x203a5055 = 0;
    *(uint8_t*)0x203a5056 = 0;
    *(uint8_t*)0x203a5057 = 0;
    *(uint8_t*)0x203a5058 = 0;
    *(uint8_t*)0x203a5059 = 0;
    *(uint8_t*)0x203a505a = 0;
    *(uint8_t*)0x203a505b = 0;
    *(uint8_t*)0x203a505c = 0;
    *(uint8_t*)0x203a505d = 0;
    *(uint8_t*)0x203a505e = 0;
    *(uint8_t*)0x203a505f = 0;
    *(uint8_t*)0x203a5060 = 0;
    *(uint8_t*)0x203a5061 = 0;
    *(uint8_t*)0x203a5062 = 0;
    *(uint8_t*)0x203a5063 = 0;
    *(uint8_t*)0x203a5064 = 0;
    *(uint8_t*)0x203a5065 = 0;
    *(uint8_t*)0x203a5066 = 0;
    *(uint8_t*)0x203a5067 = 0;
    *(uint8_t*)0x203a5068 = 0;
    *(uint8_t*)0x203a5069 = 0;
    *(uint8_t*)0x203a506a = 0;
    *(uint8_t*)0x203a506b = 0;
    *(uint8_t*)0x203a506c = 0;
    *(uint8_t*)0x203a506d = 0;
    *(uint8_t*)0x203a506e = 0;
    *(uint8_t*)0x203a506f = 0;
    *(uint8_t*)0x203a5070 = 0;
    *(uint8_t*)0x203a5071 = 0;
    *(uint8_t*)0x203a5072 = 0;
    *(uint8_t*)0x203a5073 = 0;
    *(uint8_t*)0x203a5074 = 0;
    *(uint8_t*)0x203a5075 = 0;
    *(uint8_t*)0x203a5076 = 0;
    *(uint8_t*)0x203a5077 = 0;
    *(uint8_t*)0x203a5078 = 0;
    *(uint8_t*)0x203a5079 = 0;
    *(uint8_t*)0x203a507a = 0;
    *(uint8_t*)0x203a507b = 0;
    *(uint8_t*)0x203a507c = 0;
    *(uint8_t*)0x203a507d = 0;
    *(uint8_t*)0x203a507e = 0;
    *(uint8_t*)0x203a507f = 0;
    *(uint8_t*)0x203a5080 = 0;
    *(uint8_t*)0x203a5081 = 0;
    *(uint8_t*)0x203a5082 = 0;
    *(uint8_t*)0x203a5083 = 0;
    *(uint8_t*)0x203a5084 = 0;
    *(uint8_t*)0x203a5085 = 0;
    *(uint8_t*)0x203a5086 = 0;
    *(uint8_t*)0x203a5087 = 0;
    *(uint8_t*)0x203a5088 = 0;
    *(uint8_t*)0x203a5089 = 0;
    *(uint8_t*)0x203a508a = 0;
    *(uint8_t*)0x203a508b = 0;
    *(uint8_t*)0x203a508c = 0;
    *(uint8_t*)0x203a508d = 0;
    *(uint8_t*)0x203a508e = 0;
    *(uint8_t*)0x203a508f = 0;
    *(uint8_t*)0x203a5090 = 0;
    *(uint8_t*)0x203a5091 = 0;
    *(uint8_t*)0x203a5092 = 0;
    *(uint8_t*)0x203a5093 = 0;
    *(uint8_t*)0x203a5094 = 0;
    *(uint8_t*)0x203a5095 = 0;
    *(uint8_t*)0x203a5096 = 0;
    *(uint8_t*)0x203a5097 = 0;
    *(uint8_t*)0x203a5098 = 0;
    *(uint8_t*)0x203a5099 = 0;
    *(uint8_t*)0x203a509a = 0;
    *(uint8_t*)0x203a509b = 0;
    *(uint8_t*)0x203a509c = 0;
    *(uint8_t*)0x203a509d = 0;
    *(uint8_t*)0x203a509e = 0;
    *(uint8_t*)0x203a509f = 0;
    *(uint8_t*)0x203a50a0 = 0;
    *(uint8_t*)0x203a50a1 = 0;
    *(uint8_t*)0x203a50a2 = 0;
    *(uint8_t*)0x203a50a3 = 0;
    *(uint8_t*)0x203a50a4 = 0;
    *(uint8_t*)0x203a50a5 = 0;
    *(uint8_t*)0x203a50a6 = 0;
    *(uint8_t*)0x203a50a7 = 0;
    *(uint8_t*)0x203a50a8 = 0;
    *(uint8_t*)0x203a50a9 = 0;
    *(uint8_t*)0x203a50aa = 0;
    *(uint8_t*)0x203a50ab = 0;
    *(uint8_t*)0x203a50ac = 0;
    *(uint8_t*)0x203a50ad = 0;
    *(uint8_t*)0x203a50ae = 0;
    *(uint8_t*)0x203a50af = 0;
    *(uint8_t*)0x203a50b0 = 0;
    *(uint8_t*)0x203a50b1 = 0;
    *(uint8_t*)0x203a50b2 = 0;
    *(uint8_t*)0x203a50b3 = 0;
    *(uint8_t*)0x203a50b4 = 0;
    *(uint8_t*)0x203a50b5 = 0;
    *(uint8_t*)0x203a50b6 = 0;
    *(uint8_t*)0x203a50b7 = 0;
    *(uint8_t*)0x203a50b8 = 0;
    *(uint8_t*)0x203a50b9 = 0;
    *(uint8_t*)0x203a50ba = 0;
    *(uint8_t*)0x203a50bb = 0;
    *(uint8_t*)0x203a50bc = 0;
    *(uint8_t*)0x203a50bd = 0;
    *(uint8_t*)0x203a50be = 0;
    *(uint8_t*)0x203a50bf = 0;
    *(uint8_t*)0x203a50c0 = 0;
    *(uint8_t*)0x203a50c1 = 0;
    *(uint8_t*)0x203a50c2 = 0;
    *(uint8_t*)0x203a50c3 = 0;
    *(uint32_t*)0x203a50c4 = 0x80000001;
    *(uint32_t*)0x203a50c8 = 0x52;
    *(uint8_t*)0x203a50cc = 0;
    *(uint8_t*)0x203a50cd = 0;
    *(uint8_t*)0x203a50ce = 0;
    *(uint8_t*)0x203a50cf = 0;
    *(uint8_t*)0x203a50d0 = 0;
    *(uint8_t*)0x203a50d1 = 0;
    *(uint8_t*)0x203a50d2 = 0;
    *(uint8_t*)0x203a50d3 = 0;
    *(uint8_t*)0x203a50d4 = 0;
    *(uint8_t*)0x203a50d5 = 0;
    *(uint8_t*)0x203a50d6 = 0;
    *(uint8_t*)0x203a50d7 = 0;
    *(uint8_t*)0x203a50d8 = 0;
    *(uint8_t*)0x203a50d9 = 0;
    *(uint8_t*)0x203a50da = 0;
    *(uint8_t*)0x203a50db = 0;
    *(uint8_t*)0x203a50dc = 0;
    *(uint8_t*)0x203a50dd = 0;
    *(uint8_t*)0x203a50de = 0;
    *(uint8_t*)0x203a50df = 0;
    *(uint8_t*)0x203a50e0 = 0;
    *(uint8_t*)0x203a50e1 = 0;
    *(uint8_t*)0x203a50e2 = 0;
    *(uint8_t*)0x203a50e3 = 0;
    *(uint8_t*)0x203a50e4 = 0;
    *(uint8_t*)0x203a50e5 = 0;
    *(uint8_t*)0x203a50e6 = 0;
    *(uint8_t*)0x203a50e7 = 0;
    *(uint8_t*)0x203a50e8 = 0;
    *(uint8_t*)0x203a50e9 = 0;
    *(uint8_t*)0x203a50ea = 0;
    *(uint8_t*)0x203a50eb = 0;
    *(uint8_t*)0x203a50ec = 0;
    *(uint8_t*)0x203a50ed = 0;
    *(uint8_t*)0x203a50ee = 0;
    *(uint8_t*)0x203a50ef = 0;
    *(uint8_t*)0x203a50f0 = 0;
    *(uint8_t*)0x203a50f1 = 0;
    *(uint8_t*)0x203a50f2 = 0;
    *(uint8_t*)0x203a50f3 = 0;
    *(uint8_t*)0x203a50f4 = 0;
    *(uint8_t*)0x203a50f5 = 0;
    *(uint8_t*)0x203a50f6 = 0;
    *(uint8_t*)0x203a50f7 = 0;
    *(uint8_t*)0x203a50f8 = 0;
    *(uint8_t*)0x203a50f9 = 0;
    *(uint8_t*)0x203a50fa = 0;
    *(uint8_t*)0x203a50fb = 0;
    *(uint8_t*)0x203a50fc = 0;
    *(uint8_t*)0x203a50fd = 0;
    *(uint8_t*)0x203a50fe = 0;
    *(uint8_t*)0x203a50ff = 0;
    *(uint8_t*)0x203a5100 = 0;
    *(uint8_t*)0x203a5101 = 0;
    *(uint8_t*)0x203a5102 = 0;
    *(uint8_t*)0x203a5103 = 0;
    *(uint8_t*)0x203a5104 = 0;
    *(uint8_t*)0x203a5105 = 0;
    *(uint8_t*)0x203a5106 = 0;
    *(uint8_t*)0x203a5107 = 0;
    *(uint8_t*)0x203a5108 = 0;
    *(uint8_t*)0x203a5109 = 0;
    *(uint8_t*)0x203a510a = 0;
    *(uint8_t*)0x203a510b = 0;
    syscall(__NR_ioctl, r[2], 0xc10c5541, 0x203a5000);
    break;
  case 9:
    // mmap(0x20ac6000, 0x4000, PROT_EXEC|PROT_GROWSDOWN (0x1000004),
    //      MAP_SHARED|MAP_FIXED|MAP_POPULATE (0x8011), r[3], 0):
    // maps 16 KiB of the usbmon fd over part of the scratch region.
    syscall(__NR_mmap, 0x20ac6000, 0x4000, 0x1000004, 0x8011, r[3], 0);
    break;
  case 10:
    // ioctl(r[3], 0x9204, 0xf0b1): 0x9204 is _IO(0x92, 4); 0x92 is usbmon's
    // ioctl magic and nr 4 is MON_IOCT_RING_SIZE there, with 0xf0b1 as the
    // requested ring size -- confirm against the kernel's usbmon source.
    syscall(__NR_ioctl, r[3], 0x9204, 0xf0b1);
    break;
  }
}

// One reproduction round: reset the fd slots to -1 (memset with 0xff bytes),
// run the 11 calls serially, then again with collide set so odd/even pairs
// overlap.  collide is never cleared, so from the second round on both
// passes run in collide mode.
void test()
{
  memset(r, -1, sizeof(r));
  execute(11);
  collide = 1;
  execute(11);
}

// Entry point: never returns.
int main()
{
  for (;;) {
    loop();
  }
}